IAM permissions for using Amazon Q Apps
If the users of your deployed web experience want to create lightweight, purpose-built Amazon Q Apps within your broader Amazon Q Business application environment, you must include the following policy permissions.
Note
This Amazon Q Apps IAM policy, released on July 10, 2024, supports the ability for users to view and specify approved data sources at the card level and to use other future features. To use these features, you must update all Amazon Q Apps roles that were created before this date with this new policy.
| Change | Description | Date |
|---|---|---|
| Added Permission to | This new API allows users to take advantage of the improved file limits in Amazon Q Apps. You can now upload files of up to 10 MB (per file card). | 11/22/2024 |
| Added Permissions to | These new APIs allow users to privately share Amazon Q Apps and to take advantage of the improved file limits in Amazon Q Apps. You can now upload files of up to 10 MB (per file card). | 11/22/2024 |
| Added permissions related to management of persistent sessions. | These new APIs allow users to start, manage and terminate long-running collaborative data collection sessions and to take advantage of the improved file limits in Amazon Q Apps. You can now upload files of up to 10 MB (per file card). | 11/22/2024 |
If you want to use Amazon Q Apps, your web experience IAM role needs the following additional permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QAppsResourceAgnosticPermissions",
      "Effect": "Allow",
      "Action": ["qapps:CreateQApp", "qapps:PredictQApp", "qapps:PredictProblemStatementFromConversation",
                 "qapps:PredictQAppFromProblemStatement", "qapps:ListQApps", "qapps:ListLibraryItems",
                 "qapps:CreateSubscriptionToken"],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
    },
    {
      "Sid": "QAppsAppUniversalPermissions",
      "Effect": "Allow",
      "Action": ["qapps:DisassociateQAppFromUser"],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*"
    },
    {
      "Sid": "QAppsAppOwnerPermissions",
      "Effect": "Allow",
      "Action": ["qapps:GetQApp", "qapps:CopyQApp", "qapps:UpdateQApp", "qapps:DeleteQApp",
                 "qapps:ImportDocument", "qapps:ImportDocumentToQApp", "qapps:CreateLibraryItem",
                 "qapps:UpdateLibraryItem", "qapps:StartQAppSession", "qapps:DescribeQAppPermissions",
                 "qapps:UpdateQAppPermissions", "qapps:CreatePresignedUrl"],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
      "Condition": {"StringEqualsIgnoreCase": {"qapps:UserIsAppOwner": "true"}}
    },
    {
      "Sid": "QAppsPublishedAppPermissions",
      "Effect": "Allow",
      "Action": ["qapps:GetQApp", "qapps:CopyQApp", "qapps:AssociateQAppWithUser", "qapps:GetLibraryItem",
                 "qapps:CreateLibraryItemReview", "qapps:AssociateLibraryItemReview",
                 "qapps:DisassociateLibraryItemReview", "qapps:StartQAppSession",
                 "qapps:DescribeQAppPermissions"],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
      "Condition": {"StringEqualsIgnoreCase": {"qapps:AppIsPublished": "true"}}
    },
    {
      "Sid": "QAppsAppSessionModeratorPermissions",
      "Effect": "Allow",
      "Action": ["qapps:ImportDocument", "qapps:ImportDocumentToQAppSession", "qapps:GetQAppSession",
                 "qapps:GetQAppSessionMetadata", "qapps:UpdateQAppSession", "qapps:UpdateQAppSessionMetadata",
                 "qapps:StopQAppSession", "qapps:ListQAppSessionData", "qapps:ExportQAppSessionData",
                 "qapps:CreatePresignedUrl"],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
      "Condition": {"StringEqualsIgnoreCase": {"qapps:UserIsSessionModerator": "true"}}
    },
    {
      "Sid": "QAppsSharedAppSessionPermissions",
      "Effect": "Allow",
      "Action": ["qapps:ImportDocument", "qapps:ImportDocumentToQAppSession", "qapps:GetQAppSession",
                 "qapps:GetQAppSessionMetadata", "qapps:UpdateQAppSession", "qapps:ListQAppSessionData",
                 "qapps:CreatePresignedUrl"],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
      "Condition": {"StringEqualsIgnoreCase": {"qapps:SessionIsShared": "true"}}
    }
  ]
}
```
Capabilities available with Amazon Q Apps
The Amazon Q Apps IAM policy allows your web experience users permissions to do the following:
- Amazon Q Apps capabilities:
  - Create a Q App (API)
  - Get the status and other information on a Q App (API)
  - Update a Q App (API)
  - List all created Q Apps (API)
  - Delete a Q App (API)
  - Start a Q App run (session) (API)
  - Stop a Q App run (session) (API)
  - Upload files to a Q App run (session) (API)
  - Convert a conversation into a (text string) problem statement (API)
  - Convert a problem statement into a proposed Q App (API)
- Amazon Q Apps library capabilities:
  - Publish a Q App by adding items to your Q Apps library (API)
  - Get the status and other information on a Q App (item) in your Q Apps library (API)
  - Update a published Q App (item) in your Q Apps library (API)
  - List all Q Apps (items) from your Q Apps library (API)
  - Delete a Q App (item) from your Q Apps library (API)
  - Like (rate) a Q App item from your Q Apps library (API)
IAM permissions for users to view and specify approved data sources in Amazon Q Apps
(Optional) To allow Q Apps users to view and specify approved data sources in their app, add the following permissions to the Amazon Q Apps policy.
Note
If you are using Amazon Q Apps permissions created before July 10, 2024, you must update your role with the new Amazon Q Apps permissions before your users can view and specify approved data sources or use other future features in Q Apps.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessIndexPermission",
      "Effect": "Allow",
      "Action": ["qbusiness:ListIndices"],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
    },
    {
      "Sid": "QBusinessDataSourcePermission",
      "Effect": "Allow",
      "Action": ["qbusiness:ListDataSources"],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/*"
      ]
    }
  ]
}
```
Note
If any of these permissions are removed, your web experience users might no longer be able to create and run their own Q Apps properly.
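As an added example that is not part of the AWS documentation, the following stdlib-only Python fills in the `{{region}}`, `{{source_account}}` and `{{application_id}}` placeholders used by both policies above (the web experience policy and the optional data source policy), rejects malformed JSON such as a trailing comma, and flags any `Resource` that is not scoped to the intended account and Amazon Q Business application before the role is updated. The region, account ID and application ID are constructed sample values, and `TEMPLATE` is an excerpt of three statements from the two policies.

```python
import json

# Constructed sample values (not from the page) for the page's placeholders.
REGION, ACCOUNT, APP_ID = "us-east-1", "123456789012", "a1b2c3d4-0000-1111-2222-333344445555"

# Excerpt of the two policies on this page: an application-scoped statement, an owner-conditioned
# /qapp/* statement from the web experience policy, and one statement from the data source policy.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "QAppsResourceAgnosticPermissions", "Effect": "Allow",
     "Action": ["qapps:CreateQApp", "qapps:ListQApps"],
     "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"},
    {"Sid": "QAppsAppOwnerPermissions", "Effect": "Allow",
     "Action": ["qapps:GetQApp", "qapps:UpdateQApp", "qapps:DeleteQApp"],
     "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
     "Condition": {"StringEqualsIgnoreCase": {"qapps:UserIsAppOwner": "true"}}},
    {"Sid": "QBusinessIndexPermission", "Effect": "Allow",
     "Action": ["qbusiness:ListIndices"],
     "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"}
  ]
}"""


def render_policy(template, region, account, app_id):
    """Fill in the placeholders and parse the result. A leftover {{...}} or malformed JSON
    (for example a trailing comma) raises ValueError here, before the policy reaches IAM."""
    rendered = (template.replace("{{region}}", region)
                        .replace("{{source_account}}", account)
                        .replace("{{application_id}}", app_id))
    if "{{" in rendered:
        raise ValueError("unresolved placeholder in policy template")
    return json.loads(rendered)  # json.JSONDecodeError is a ValueError subclass


def audit_policy(policy, account, app_id):
    """Return one finding per Resource that is not scoped to this account's Amazon Q Business
    application, so a '*' or another application's ARN is caught before the role is updated."""
    findings = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            # ARN layout: arn:aws:<service>:<region>:<account>:application/<app_id>[/qapp/*...]
            parts = res.split(":", 5)
            scoped = (len(parts) == 6 and parts[0] == "arn" and parts[4] == account
                      and parts[5].startswith(f"application/{app_id}"))
            if not scoped:
                findings.append(f"{stmt['Sid']}: not scoped to application {app_id}: {res}")
    return findings
```

Run `audit_policy(render_policy(TEMPLATE, REGION, ACCOUNT, APP_ID), ACCOUNT, APP_ID)` against the full policy text from this page once the placeholders are replaced; an empty list means every statement stays bound to the one application.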